Entity security implied by an asset in a repository system

ABSTRACT

Techniques are described for managing access to a repository system storing information (e.g., metadata) about objects (e.g., an application, a process, or a service) in a computing environment. The repository system can store a data structure (an “entity”) that includes information about an object. An entity can have an association with one or more collections of entities (“assets”) that classify a collection of entities. Access to perform actions (e.g., create, read, update, or delete) an entity can be managed based on an entitlement, which grants a right to access information in the entity and/or at least one asset having an association with the entity. The repository system can manage access to one or more entities based on rights implied by an entitlement to access one or more assets associated with those entities.

CROSS-REFERENCES TO RELATED APPLICATIONS

The present application claims priority and benefit from U.S.Provisional Application No. 61/880,832, filed Sep. 20, 2013, entitled“ENTITY SECURITY IMPLIED BY AN ASSET IN A REPOSITORY SYSTEM,” the entirecontents of which are incorporated herein by reference for all intentsand purposes.

TECHNICAL FIELD

The present disclosure relates generally to managing access a repositorysystem.

BACKGROUND

Repository systems can perform various functions including managinginformation about objects (e.g., an application, a process, a service,or a component) an in a computing environment. Some repository systemsmay associate a collection of related objects in an asset. An asset maybe used to manage information about the collection of objects.Repository systems may vary in the ways by which access is permitted toinformation stored about an object. A repository system may be accessedby users associated with different types of roles for operating therepository system. A role associated with a user may enable the user tohave rights to access information related to an object stored in therepository system.

Some repository systems may administer access to a repository system ina coarse-grained fashion. In such implementations, access to informationassociated with objects in an asset can be determined based on theentire asset as a whole such that access may be based on access to allof the objects in the asset. For example, a composite application can bedefined as an asset having objects including composite services,references, and components. The objects can be modeled as attributes ofthe asset representing the composite application. However, access toinformation about individual objects that define an asset may not bepermitted because the objects may be modeled as attributes of the assetand access may be controlled with respect to the asset. As a result,access may not be permitted for the individual objects that define theasset. In other implementations, a repository system may manage accessto objects individually in a fine-grained manner. Using a fine-grainedapproach, access to each object can be determined based on access withrespect to each object; however, the repository system can incur asignificant amount of processing time to determine access to individualobjects, as there may be many objects stored in a repository system.

In a repository system that can store information for a large amountobjects, performance for processing requests to access different objectsmay place a burden on overall processing performance for the repositorysystem. Additional processing that may be performed to determine accessfor each object in a collection of objects can result in increasedprocessing time to determine access to information about each object.

BRIEF SUMMARY

The present disclosure relates generally to techniques for managingaccess to a repository system for information (e.g., metadata) aboutobjects in a computing environment. In certain embodiments, a computingenvironment can include many types of objects including an application,a process, a service, a method, or other object in a computingenvironment. The repository system can store a data structure (an“entity”) that includes information (e.g., metadata) about an object ina computing environment. An entity can have an association with one ormore collections of entities (“assets”) that classify a collection ofentities. Access to a repository system to perform actions with respectto an entity can be managed based on entitlements (e.g., a privilege)granting rights with respect to the entity itself and/or at least oneasset having an association with the entity.

In certain embodiments, actions that can be performed on an entity caninclude creating an entity, reading an entity, updating an entity,deleting entity, or other actions that can be performed with respect toan entity. The repository system can manage access to one or moreentities based on rights implied by entitlements to access one or moreassets associated with those entities. An entitlement can indicatecriteria corresponding to a type of access permitted for entitiesassociated with an asset. For example, an entitlement can indicate theactions (e.g., create, read, update, or delete) that are permitted foran asset including the entities associated with the asset. In certainembodiments, a repository system can manage entitlements in one or moreaccess policies. For example, when an access policy is applied to acomposite asset, the entitlements indicated by the access policy can beimplied for all entities included in that composite asset, such ascomposite services, composite applications, and components. Thus,entities associated with an asset may be subject to the entitlementsthat are applicable to the asset.

In certain embodiments, the repository system can use access policies toauthorize access to the repository system by authenticated users. Anauthorized user of the repository system can be assigned to one or moreroles (e.g., a developer, an architect, a leader, a tester, etc.) foroperating the repository system. A user may be granted rights to accessthe system based on the role in which the user operates the system. Theaccess policy can indicate criteria for one or more entitlements (e.g.,privileges) granting access to one or more roles defined in therepository system. Each entitlement can indicate an asset to whichaccess is permitted and the roles, which are permitted to access theasset. The entitlement can indicate the actions that are permitted forthe asset. The repository system can permit access to perform theactions permitted on an asset by a user assigned to one of the rolesindicated in the entitlement. In some embodiments, an entitlement caninclude a criterion indicating one or more entities corresponding to anobject associated with an asset for which access is permitted.

By managing access to entities implied by access to assets in arepository system, performance of the repository system can be improvedwhen determining access to information in a repository. For instance,processing can be dramatically reduced because access to entities can beimplied based on assets associated with those entities, such that therepository system can reduce processing to determine access for eachentity individually.

According to at least one example, techniques may be provided formanaging access to an asset to control access to entities associatedwith the asset. Such techniques may be implemented by a computing system(e.g., a repository system). The computer system may include one or moreprocessors and one or more memory devices coupled with and readable byone or more processors. The one or more memory devices may store a setof instructions that, when executed by the one or more processors,causes the one or more processors to perform the techniques disclosedherein. The techniques can include a computer-implemented method. Themethod can include receiving a request by a user to perform an action(e.g., create, read, update, or delete) on a first entity of a pluralityof entities in a repository system. Each entity in the plurality ofentities can have an association with at least one asset in therepository system. An entity may include information about an objectstored in the repository system. The method can include determining,based on a role of a user associated with the user request, whether theuser is entitled to access an asset associated with the first entity.The method may include determining a plurality of assets that a role ofa user is entitled to access. The method may further includeidentifying, from the plurality of assets, an asset associated with thefirst entity. The method can include determining whether the requestedaction is a permitted action. The method can include, upon determiningthat that the requested action is a permitted action, performing therequested action on the first entity. The method can include, upondetermining that the requested action is not a permitted action,preventing the requested action from being performed on the firstentity.

In certain embodiments, the method performed by the computing system mayfurther include determining one or more assets accessible by the role ofthe user. The method may further include identifying one or moreentities that have an association with the one or more assets accessibleto the role. The user may be entitled to access the asset associatedwith the first entity based upon determining that the one or moreidentified entities includes the first entity.

In certain embodiments, where an action is to retrieve informationassociated with the first entity, preventing the requested action frombeing performed on the first entity includes preventing the requestedinformation associated with the first entity from being provided to theuser.

In certain embodiments, where a requested action is to modifyinformation associated with the first entity, preventing the requestedaction from being performed includes preventing the informationassociated with the first entity from being modified according to therequest.

In certain embodiments, where a requested action is to removeinformation associated with the first entity, preventing the requestedaction from being performed includes preventing the informationassociated with the first entity from being removed.

In certain embodiments, where a requested action is to create the firstentity, preventing the requested action from being performed includespreventing the first entity from being created.

In certain embodiments, where a request includes a query, which includescriteria indicating entities to which the action is to be performed, arequested action is performed based on the criteria in the query.

In certain embodiments, the method performed by the computing system mayfurther include determining one or more assets accessible by the role ofthe user and modifying the criteria of the query to include additionalcriteria that indicates the action is not to be performed for theentities not having an association with the one or more assets.

The following detailed description together with the accompanyingdrawings will provide a better understanding of the nature andadvantages of embodiments of the present invention.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a computing environment according to one embodiment of thepresent invention.

FIG. 2 shows a repository system according to one embodiment of thepresent invention.

FIG. 3 shows a diagram illustrating a relationship of entitlements toassets associated with entities according to an embodiment of thepresent invention.

FIG. 4 shows data structures of an asset and entities associated with anasset according to an embodiment of the present invention.

FIG. 5 shows an access policy indicating criteria for an entitlement toaccess an asset according to an embodiment of the present invention.

FIG. 6 is a flowchart illustrating a process for managing access to anentity implied by access to an asset associated with the entity anembodiment of the present invention.

FIG. 7 depicts a simplified diagram of a distributed system forimplementing one of the embodiments.

FIG. 8 is a simplified block diagram of components of a systemenvironment by which services provided by the components of anembodiment system may be offered as cloud services, in accordance withan embodiment of the present disclosure.

FIG. 9 illustrates an exemplary computer system, in which variousembodiments of the present invention may be implemented.

DETAILED DESCRIPTION

In the following description, for the purposes of explanation, specificdetails are set forth in order to provide a thorough understanding ofembodiments of the invention. However, it will be apparent that variousembodiments may be practiced without these specific details. The figuresand description are not intended to be restrictive.

Systems depicted in some of the figures may be provided in variousconfigurations. In some embodiments, the systems may be configured as adistributed system where one or more components of the system aredistributed across one or more networks in a cloud computing system.

The present disclosure relates generally to techniques for managingaccess to a repository system for information (e.g., metadata) aboutobjects in a computing environment. In certain embodiments, a computingenvironment can include many types of objects including an application,a process, a service, a method, or other object in a computingenvironment. The repository system can store a data structure (an“entity”) that contains metadata about an object in a computingenvironment. An entity can have an association with one or morecollections of entities (“assets”) that classify a collection ofentities. Access to a repository system to perform actions with respectto an entity can be managed based on entitlements (e.g., a privilege)granting rights with respect to the entity itself and/or at least oneasset having an association with the entity.

In certain embodiments, actions that can be performed on an entity caninclude creating an entity, reading an entity, updating an entity,deleting entity, or other actions that can be performed with respect toan entity. The repository system can manage access to one or moreentities based on rights implied by entitlements to access one or moreassets associated with those entities. An entitlement can indicatecriteria corresponding to a type of access permitted for entitiesassociated with an asset. For example, an entitlement can indicate theactions (e.g., create, read, update, or delete) that are permitted foran asset including the entities associated with the asset. In certainembodiments, a repository system can manage entitlements in one or moreaccess policies. For example, when an access policy is applied to acomposite asset, the entitlements indicated by the access policy can beimplied for all entities included in that composite asset, such ascomposite services, composite applications, and components. Thus,entities associated with an asset may be subject to the entitlementsthat are applicable to the asset.

In certain embodiments, the repository system can use access policies toauthorize access to the repository system by authenticated users. Anauthorized user of the repository system can be assigned to one or moreroles (e.g., a developer, an architect, a leader, a tester, etc.) foroperating the repository system. A user may be granted rights to accessthe system based on the role in which the user operates the system. Theaccess policy can indicate criteria for one or more entitlements (e.g.,privileges) granting access to one or more roles defined in therepository system. Each entitlement can indicate an asset to whichaccess is permitted and the roles, which are permitted to access theasset. The entitlement can indicate the actions that are permitted forthe asset. The repository system can permit access to perform theactions permitted on an asset by a user assigned to one of the rolesindicated in the entitlement. In some embodiments, an entitlement caninclude a criterion indicating one or more entities corresponding to anobject associated with an asset for which access is permitted.

By managing access to entities implied by access to assets in arepository system, performance of the repository system can be improvedwhen determining access to information in a repository. For instance,processing can be dramatically reduced because access to entities can beimplied based on assets associated with those entities, such that therepository system can reduce processing to determine access for eachentity individually.

FIG. 1 shows a computing environment 100 according to one embodiment ofthe present invention. Specifically, in the computing environment 100,access to assets managed by the repository store 170 may be determined.Access to an asset can be used to determine implied access to one ormore entities having an association with the asset.

The computing environment 100 can include a client system 102, arepository system 110, and one or more data stores including arepository store 170 and a security store 160. The repository store 170can store entity information 174 about each entity of a plurality ofentities. An entity can be represented by a data structure that storesinformation (e.g., metadata) about an object in a computing environment.The data structure can include, without restriction, a linked list, arecord, a hash table, or the like. An object can include an application,a process, a service, an endpoint device, a method, or other object in acomputing environment. Information about an object can be stored in oneor more entities. An entity can store information about one or moreobjects. The entity can include information such as a location of theobject, an identifier of the object, a type of the object, and arelationship to other types of objects. The repository system 110 canstore asset information 172 in the repository store 170. The assetinformation 172 can include information about each asset of a pluralityof assets managed by the repository system 110. An asset can berepresented by a data structure that stores information (e.g., metadata)about a collection of entities in a computing environment. Each entitycan be stored in the repository data store 170 in association with atleast one asset in the repository system. The repository system 110 canreceive requests to access to the information stored in the repositorystore 170. The repository system 110 can receive requests formattedaccording to a query language. The supported query languages can includeJava Persistence API Query Language (JPQL), Apache Lucene®, a full textsearch language, or other types of query languages.

It should be appreciated that various different system configurationsare possible, which may be different from the computing system 100. Theembodiment shown in the figure is thus one example of a computing systemfor implementing an embodiment system and is not intended to belimiting. For purposes of illustration, specific embodiments aredescribed herein for techniques for enabling a repository system (e.g.,the repository system 110) determine access to an entity based on havingan association with at least one asset that includes the entity.

In some embodiments, the client system 102 and the repository system 110can be implemented in different computing systems or a single computingsystem. The client system 102 and the repository system 110 cancommunicate with each other via a network (not shown). Examples ofcommunication networks can include the Internet, a mobile network, awireless network, a cellular network, a local area network (LAN), a widearea network (WAN), other communication networks, or combinationsthereof.

The security store 160 and/or the repository store 170 can beimplemented using any type of persistent storage device, such as amemory storage device or other computer-readable storage medium. In aparticular embodiment, one or more of data stores 160, 170 can beimplemented using a database (e.g., a document database, a relationaldatabase, or other type of database), a file store, a lightweightdirectory access protocol (LDAP) implemented store, or a combinationthereof.

The client system 102 (e.g., “a client”) may be a computing systemimplemented in hardware, firmware, software, or combinations thereof, toenable a user to communicate with the repository system 110. A user canoperate the client system 102 to communicate a request, e.g., a request108, to the repository system 110 and receive responses (e.g., theresponse 112) from the repository system 110. The request 108 canindicate an action requested to be performed on information for one ormore objects managed by the repository system 110. The actions caninclude creating an entity, reading an entity, updating an entity, ordeleting an entity. In some embodiments, an action can be directedtowards an entity, but may not change information stored for an entitycorresponding to the object. In certain embodiments, the request 108 canbe communicated by a user associated with a role for operating therepository system 110.

Examples of the client system 102 include an endpoint, a personaldigital assistant (PDA), a tablet computer, a laptop computer, a desktopcomputer, a wearable computer, a pager, etc. The client system 102 caninclude one or more memory storage devices and one or more processors. Amemory storage device can be accessible to the processor(s) and caninclude instructions stored thereon that, when executed by theprocessor(s), cause the processor(s) to implement one or more operationsdisclosed herein. In various embodiments, the client system 102 may beconfigured to execute and operate a client application such as a webbrowser, proprietary client applications, or the like. The clientapplications may be accessible or operated via one or more network(s).In some embodiments, the client system 102 can be associated with orimplemented in the repository system 110.

In certain embodiments, the client system 102 can present a graphicaluser interface (GUI) 104 to facilitate communication with the repositorysystem 110. The GUI 104 can include or implement a repository accessenabler 106 to further assist the user in communicating the request 108to the repository system 110. The repository access enabler 106 canpresent one or more GUIs that enable a user to include a criterion inthe request 108 to indicate an action to be performed on particularassets and/or entities managed by the repository system 110. Forexample, the repository access enabler 106 can enable users to search,browse, view, or edit entities and/or assets under management of therepository system 110. The repository access enabler 106 may beconfigured to present information based stored by the repository system110 for assets and/or entities. The repository access enabler 106 canpresent the response 112 when received from the repository system 110 inresponse to the request 108.

The client system 102 can access asset information 172 and/or entityinformation 174 from the repository system 110 based on a user'sentitlement to access one or more assets in the repository system 110.The response 112 received by the client system 102 can includeinformation stored in the repository store 170 as a result of performingthe request action for the request 108. In certain embodiments, theresponse 112 can include information responsive to the request 108 toaccess a particular asset and/or an entity. In some embodiments, theresponse 112 can include a notification about the requested action 108.The notification can indicate why an asset and/or an entity could not beaccessed by the user. The response 112 can include a portion of theentity information 174 requested if access is not permitted for allobjects indicated in the request 108. In certain embodiments, therepository system 110 can provide one or more GUIs that can present theentity information 174 responsive to the request 108.

In certain embodiments, the client system 102 can enable a user (e.g.,an administrator) to manage one or more access policies 162 used by therepository system 110 to manage access to the repository system 110. TheGUI 104 can enable the user to specify a criterion for an access policy162 including one or more entitlements for one or more roles foraccessing the repository system 110. The GUI 104 can enable the user toadminister management of users and roles for accessing the repositorysystem 110. Details about access policies are described below withreference to FIGS. 1 and 3-5.

The repository system 110 can be implemented in hardware, firmware,software, or combinations thereof, to manage access to informationstored in one or more data stores including the repository store 170 andthe security store 160. The repository system 110 can be implementedwith one or more server computers, e.g., a server computer 150, whichcan perform operations for the repository system 110. The servercomputer 150 can communicate with a client (e.g., the client system 102)to receive the requests 108 and to provide the responses 112.

In certain embodiments, the server computer 150 can include or canimplement a web server computer (e.g., a web server). As a web servercomputer, the server computer 150 can support deployment of differenttypes of applications to one or more client systems (e.g., the clientsystem 102) in a distributed manner. For example, the server computer150 can support the execution of one or more applications, which can beaccessed by one or more client systems, e.g., the client system 102. Theapplications can be provided to the client system 102 to enable a userto operate the repository system 110. The one or more applications canbe accessed and operated via the GUI 104. In certain embodiments, theserver computer 150 can exchange communication with the client system102 to provide on or more services to the client system 102.

The server computer 150 can include or implement a repository manager130 to manage information (e.g., the entity information 174 and theasset information 172) in the repository store 170. In certainembodiments, the entity information 174 and the asset information 172can be managed in the repository store 170 based on a hierarchicalmetadata model derived from one or more formalized metadata models. Theentity information 174 (e.g., metadata) can correspond to informationfor one or more entities. The repository manager 130 can generate theentity information 174 as one or more entities are created for objectsthat are identified in a computing environment. In certain embodiments,the repository manager 130 can generate the entity information 174 basedon information about objects provided by a user via the client system102. The repository manager 130 can store the asset information 172,which includes information about one or more assets in a computingenvironment.

The repository manager 130 can process the requests 108 for therepository system 110. The repository manager 130 can perform operationsto access the repository store 170 based on an action indicated by therequest 108. For example, when the request 108 is to read the entityinformation 174 for one or more entities, the repository manager 130 canretrieve the entity information 174 for the entity and send the response112 with the entity information 174. In another example, when therequested action is modifying an entity, the repository manager 130 canlocate the entity information 174 for the entity and perform the requestaction on the entity. However, the repository manager 130 may determinea user's entitlement to access the repository system 110 beforeprocessing the request 108.

The server computer 150 can include or implement a security manager 140to determine authentication of a user access the repository system 110by users. The security manager 140 can permit access to an individualuser based on association with one or more access groups. A user or agroup of users may be granted authorization based on one or more roles(e.g., a developer, an architect, a leader, a tester, etc.) foroperating the repository system 110. A user may be granted rights toaccess the system based on the role in which the user operates therepository system 110. Access to the entity information 174 and theasset information 172 can be based on the authorization granted to eachuser.

The security manager 140 can manage one or more access policies 162 todetermine access to the repository system 110 by an individual or groupof individual. The access policies 162 can be created and/or managed viathe GUI 104 at the client system 102. The access policy 162 can includeentitlement information 164 indicating a criterion for one or moreentitlements (e.g., privileges) to access the repository system 110.Each entitlement can indicate a right granted (e.g., a privilege) toaccess to one or more roles defined in the repository system 110. Eachentitlement can indicate permissions 166 as to which roles which arepermitted to access the asset. The permissions 166 can indicate theactions that are permitted for the asset. The security manager 140 canpermit access to perform any of the actions permitted on an asset by auser assigned to one of the roles indicated by the entitlement. Thesecurity manager 140 can permit access to entities having an associationwith an asset for which access is permitted according to an entitlementapplicable to a user. In some embodiments, an entitlement can include acriterion indicating particular entities corresponding to an object thatmay be permitted to be accessed from the asset.

FIG. 2 shows a repository system 110 of FIG. 1 according to oneembodiment of the present invention. The repository system 110 caninclude like elements of FIG. 1 represented by like reference numbersand designations. The repository system 110 can include the accessinterface 220 and the server computer 150. The repository system 110 canbe coupled to the security store 160 and the repository store 170.

As explained above, the repository system 110 can manage access toinformation stored in the repository store 170. A user of the clientsystem 102 can send a request (e.g., the request 108) to the repositorysystem 110 to perform an action on one or more entities managed by therepository system. The repository system 110 can determine entitlementsgranted to the user based on the user's role and can perform therequested action based on the rights permitted to the user according tothe granted entitlements. The repository system 110 can provide theresponse 112 to the client system 102 indicating a result of therequested action and the entity information 174 that is accessible ifrequested for the action.

In some embodiments, the repository system 110 can include or implementan access interface 220. The access interface 220 can facilitatecommunication between the client system 102 and the repository system110. The access interface 220 can include one or more callableinterfaces (e.g., an application programming interface) that enable theclient system 102 to communicate with the repository system 110. Therequest 108 and the response 112 can be communicated via the accessinterface 220.

The repository system 110 can be implemented as one or more functionalblocks or modules configured to perform various operations for therequests 108 received by the server computer 150. The function blocks ormodules can be configured to perform functions related to accessing therepository 170 or functions related to the security store 160. Therepository manager 130 can include a request manager 232, an actionmodule 234, an access manager 236, and a display generation module 238.

The display generation module 238 can generate one or more GUIs fordisplay by a client system (e.g., the client system 102). All or aportion of the GUI 104 can be generated by the display generation module238. A GUI generated by the display generation module 238 can beprovided to the client system 102 in the response 112. A displayprovided by the repository access enabler 106 can be generated by thedisplay generation module 238. The display generation module 238 cangenerate a display (e.g., a GUI) to present the results of the action(s)performed for the request 108. In some embodiments, the GUI can includea notification indicating a result of performing the action(s) for therequest 108.

In certain embodiments, the display generation module 238 can generate adisplay providing the asset information 172 and/or the entityinformation 174 that is accessible by a user that accesses therepository system 110. The display can provide the user with assets thatare accessible and the actions that are permitted on those assets. Thedisplay can provide the user with options for selecting entities thatare accessible based on access implied by the assets that are accessibleto the user.

The request manager 232 can receive the request 108 from the clientsystem 102 via the access interface 220. The request manager 232 canprocess the request 108 to determine action(s) requested and the entityinformation 172 and/or the asset information 174 being requested foreach action. Upon determining the criterion in the request 108, therequest manager 232 can provide the criterion indicated in the request108 to the access manager 236 to determine whether a user associatedwith the request 108 is entitled to perform the requested action(s) inthe request 108. In some embodiments, the criterion can include or canbe specified according to a query indicating the entities for which therequest action is to be performed. The query can be specified accordingto a query language (e.g., JPQL or Apache Lucene®) supported by therepository system 110.

The access manager 236 can determine authorization for the user to makethe request 108. The access manager 236 can communicate with thesecurity manager 140 to determine authorization for the action(s)indicated in the request 108. To determine authorization, the securitymanager 140 can be requested to determine the assets for which the useris entitled to access based on the role of the user. In someembodiments, the access manager 236 can determine one or more assetsfrom the asset information 172 that are associated with each of thetypes of entities indicated in the request 108. The identified assetscan be provided to the security manager 140 to determine access to theassets based on the role of the user. In some embodiments, the accessmanager 236 can request the security manager 140 to determine theentitlement of the role based on the types of entities identified foreach action indicated in the request 108.

The access manager 236 can receive information from the security manager140 indicating the assets that the role is entitled to access. Theinformation from security manager 140 can include the actions permittedfor the assets to which the role is entitled to access. In someembodiments, the information received from the security manager 140 canindicate the entities of the assets that are accessible to the role. Theinformation received from the security manager 140 can indicate one ormore obligations that indicate restrictions for accessing particularentities associated with an asset that a role is entitled to access. Insome embodiments, the access manager 232 can receive information fromthe security manager 140 indicating an error or notification that therole is not authorized to access all or a portion of assets associatedwith one or more entities indicated in the request 108.

Based on the entitlements granted to the role of the user associatedwith the request 108, the access manager 236 can determine whether therole of the user is permitted to access each entity identified in therequest 108. The access manager 236 can retrieve from the repositorystore 170 the entity information 174 to identify each entity having anassociation with one or more of the assets to which the role is entitledto access. With the exception of entities for which an obligation isdefined in an entitlement, the role of the user can be granted anentitlement which provides an implied access to any of the entitieshaving an association with one or more of the assets the role isentitled to access. The access manager 236 can determine whether any ofthe entities corresponding to an action in the request 108 are includedin the identified entities that have an association with one or more ofthe assets the role is entitled to access.

Based upon the authorization received from the access manager 236, therequest manager 232 can instruct the action module 234 to perform theaction(s) for which the user is entitled to perform for the entitiesindicated by the request 108. The access manager 236 can determineactions the role is entitled to perform based on the entities the roleis entitled to access. When requesting the action module 234 to performactions for the request 108, the request manager 232 can indicate theactions to be prevented from being performed for each entity that therole is not entitled to access. When the action to be prevented is aread action for a particular entity, the access manager 236 can indicateto the request manager 232 to prevent the information for the particularentity from being provided to the client system 102 to be presented tothe user. When the action to be prevented is an action to create anentity, the access manager 236 can indicate to the request manager 232to prevent the entity from being created. When the action (e.g., modifyor delete) to be prevented is to be performed on an existing entity, theaccess manager 236 can indicate to the request manager 232 to preventthe action from being performed.

In some embodiments, the request manager 232 can instruct the actionmodule 234 to perform one or more actions for the request 108 based on aquery. The request manager 232 can generate a query that indicates theactions for entities a user associated with the request 108 are entitledto perform. In certain embodiments, the query can be generated using afull-text search language (e.g., Apache Lucene®), JPQL, or other querylanguage. The query can also be based on a query (e.g., a JPQL query)indicated in the request 108. In some embodiments, the request manager232 can modify the received query based on entities the role of the useris entitled to access. For example, the request manager 232 can modify aquery indicated in the request 108 to prevent entities that are notentitled to access from being requested from the repository system 110.The query can be modified by to include an additional criterion thatindicate the assets the user is permitted to access. The query indicatedin the request 108 can be modified to include a criterion indicating theactions that can be performed on entities the role of the user isentitled to access. In some embodiments, when the action indicated inthe request is an action other than a read action, the query can bemodified to include information (e.g., an identifier of an entity) abouteach entity the user is permitted to access based on the entitlements tothe role of the user.

In certain embodiments, the request manager 232 can modify the query toinclude a negative criterion or conditions indicating entities, assets,actions, or a combination thereof that are to be excluded when actionsare performed for the query. For example, the query in the request 108can be modified to indicate the entities in the query on which the useris not entitled to access so as to prevent the action module fromperforming actions for entities the role is not entitled to access. Forexample, the query can be modified to indicate the actions that are notto be performed for the entities that do not have an association withthe one or more assets the role is entitled to access.

The action module 234 can access (e.g., query, retrieve, store, etc.)the repository store 170 on behalf of the repository system 110. Inparticular, the action module 234 can perform one or more actionsindicated by the request manager 232. The action module 234 can receivea criterion from the request manager 232 indicating the actionsrequested for the entities which the user is permitted to access. Upondetermining results of the action(s) performed, the action module 234can provide the results to the request manager 232. Alternatively oradditionally, the results can be provided to the display generationmodule 238 to generate a display of the results.

The security manager 140 can perform authentication of users of therepository system 110. The security manager 140 can manage securitybased on a security model that determines authorization to access basedon authenticated users. A user can be identified by a username. The usermust present appropriate credentials to be authenticated by the securitymanager 140. A user can be assigned to one or more roles and those rolesare assigned to entitlements before one or more the entity information174 for objects can be accessed. The security manager 140 can manageentitlements for access to the information stored in the repositorystore 170. The access policies 162 managed by the security manager 140can be stored in the security store 170.

The security manager 140 can be implemented as one or more functionalblocks or modules configured to perform various operations fordetermining authorization to access information stored by the repositorysystem 110. The function blocks or modules can be configured to performfunctions related to determining access to the repository 170 orfunctions related to obtaining information from the security store 160.The security manager 140 can include a policy management module 242 andan authorization module 244. In certain embodiments, the securitymanager 140 can include an interface 246 (e.g., an applicationprogramming interface) to enable access to functions provided by thesecurity manager 140. The interface 246 can enable the security manager140 to receive requests to perform authentication of a user and theuser's requests.

The policy management module 242 can manage the access policies 162stored in the security store 160. Through the interface 246, the policymanagement module 242 can receive requests to manage (e.g., create,read, update, and delete) an access policy. The policy management module242 can perform the requests to obtain information (e.g., theentitlement information 164) from the access policy 162. The policymanagement module 242 can determine entitlements that are applicable toa role of a user. The requests can include a criterion to include in anaccess policy 162. The policy management module 242 can update or createan access policy based on the criterion. An example of an access policyis described below with reference to FIGS. 3 and 5.

The authorization module 244 can determine authorization for a user toaccess the repository system 110. Via the interface 246, theauthorization module 244 can receive requests from the repositorymanager 130 to determine authorization for a role of the user to accessone or more entities. A request can include information such as the roleof the user, the types of entities requested for access, the actionsrequested to be performed on those entities, or a combination thereof.In some embodiments, the request can include the assets associated withthe types of entities indicated in the request 108.

The authorization module 244 can communicate with the policy managementmodule 242 to determine entitlements for the role of the user for therequested action(s). Based on the entitlement information 162, theauthorization module 244 can determine the assets accessible to the rolefor the user. The assets accessible to the user can be used to implyaccess to types of entities having an association with those assets. Insome embodiments, the authorization module 244 can determine whether oneor more of the types of entities indicated in the request 108 have anassociation with at least one asset identified in an entitlement for therole. The authorization module 244 can determine the obligations for therole. The obligations can indicate the actions that the user is entitledto perform for the types of entities requested by the user. Theobligations can also indicate all types of entities that can be accessedby the role and the actions that are permitted for each of the types ofentities.

The authorization module 244 can provide the repository manager 130 witha response indicating the obligations for the role including the actionspermitted for the entities requested by the user. In some embodiments,the authorization module 244 can provide the repository manager 130 withthe entitlement information, including the assets that are accessible tothe role of the user in response to a request for authorization. In suchembodiments, the authorization module 244 can indicate the assets thatare permitted to be access for specific type of entities requested bythe user and the actions that can be performed with respect to thosepermitted assets.

By managing entitlements to access information in a repository based onaccess to a group of objects, a repository system can reduce processingtime to determine specific objects that a user with a role is permittedto act upon. Grouping information about objects into a collectionenables an administrator to control access to groups of objects thatcertain types of roles can access. Therefore, in a repository systemhaving many objects, managing objects in a group of objects rather thaneach object individually can ease efforts for managing administration bypermitting access to be managed more easily in a coarse grained mannerwith respect to a group of objects. However, the repository system caneasily manage access to objects individually based on entitlements thatare defined with respect to a group of objects, such that the repositorysystem can determine implied access to objects based on the group.

The following FIGS. 3-5 show examples of information that can be managedby a repository system to determine entitlements to access entitiesstored in the repository system. Specifically, FIGS. 3 and 5 show howentitlements are managed based on the assets that have an associationwith entities. In FIG. 3, a diagram is shown illustrating a relationshipof entitlements to assets associated with entities according to anembodiment of the present invention. In particular, FIG. 3 shows arelationship between assets and entities in a repository system (e.g.,the repository system 110). One or more entities have an associationwith at least one asset in a repository system. An entitlementapplicable to an asset can be implied to one or more entities associatedwith the asset.

FIG. 3 shows a plurality of entities having a number (n) of entitiesthat can be stored by a repository system. For example, FIG. 3 shows anentity (E1) 310, an entity (E2) 312, an entity (E3) 314, an entity (E4)316, and an entity (En) 318. FIG. 3 shows a plurality of assets having anumber (m) of assets that are stored by the repository system. Forexample, FIG. 3 shows an asset (A1) 302, an asset (A2) 304, and an asset(Am) 306. Each of the assets A1 302-Am 306 can be stored in associationwith at least one of the entities E1 310-En 318. A1 302 can beassociated with E1 310 and E2 312. A2 304 can be associated with E2312-E4 316. Am 306 can be associated with E4 316 and En 318. Each of theentities E1 310-En 318 can have an association with at least one asset.

An entitlement granted to a role for access to an asset can be used tomanage access to entities having an association with the asset. Thistechnique can reduce an amount of processing performed by a repositorysystem to determine access to individual entities by determining accessto an entity based on one or more entitlements to access an assetassociated with the entity. FIG. 3 illustrates different entitlementsthat can be defined for an asset which are implied to the entitiesincluded in the asset.

In one example shown in FIG. 3, a first entitlement (ET1) 320 can grantaccess to A1 302 for an architect role. ET1 320 can imply an entitlementto access the entities E1 310 and E2 312 having an association with A1302. In FIG. 3, an entitlement can include information indicating one ormore roles to which the entitlement is granted, the asset(s) for whichthe entitlement is granted, functions that are permitted for theentitlement, or a combination thereof. For example, ET1 320 can bedefined for an architect role's access to the repository system, suchthat a user accessing the repository system in an architect role canperform functions including create, read, update, and delete for anasset, A1 302. In a second example shown in FIG. 3, a second entitlement(ET2) 330 can be granted for A2 304. ET2 330 can imply an entitlement toaccess the entities E2 312-E4 316 having an association with A2 304. ET2330 can be defined for an developer's access to the repository system,such that a user accessing the repository system in a developer role canperform functions including read and update for E2 304.

By managing access to entities based on one or more assets associatedwith the entity, a user can access an entity to perform differentactions when the user is entitled to access the asset under a specificrole. In a repository system having a large number of entities, managingaccess based on assets can reduce a burden on the repository system todetermine access to individual entities. Access to objects implied basedon access to an asset can enable the repository system to quicklyimplement change for access given to a role such that entities can beremoved from having an association with an asset or access can bemodified for an asset to imply changes to entities associated with theasset.

FIG. 4 shows data structures of an asset and entities associated with anasset according to an embodiment of the present invention. FIG. 4 showsan example of a data structure of an asset 410 that can be stored in arepository store (e.g., the repository store 170) by a repository system(e.g., the repository system 110). The A1 410 can include informationidentifying the asset such as a name of the asset (e.g., Governance), atype of the asset (e.g., a Governance Asset), and a description of theasset (e.g., Governance Asset). The A1 410 can include informationidentifying one or more entities associated with the A1 410. Forexample, A1 410 can be associated with an entity (E1) 412 and an entity(E2) 414. A data structure of an asset can include other informationsuch as attributes that define the asset.

FIG. 4 shows an example of a data structure for E1 412 and E2 414. Adata structure of an entity can include information identifying theentity such as a name of an entity, the type of the entity, adescription of the entity, and/or other attributes of the entity. Anentity can include information indicating one or more assets to whichthe entity has an association. An entity can include informationindicating a relationship with other entities. E1 412 includes a type ofthe entity (e.g., Composite) and a name of the entity (e.g., SOA Suite#1). E2 includes a type of the entity (e.g., Composite) and a name ofthe entity (e.g., SOA Suite #2).

FIG. 5 shows an access policy 500 indicating a criterion for anentitlement to access an asset (e.g., A1 410 of FIG. 4) according to anembodiment of the present invention. Although the access policy 500 isshown in one format as an example, it should be appreciated that variousdifferent formats are conceivable, which may be different from theaccess policy 500 as shown in FIG. 5. In FIG. 5, the access policy 500is shown in an Extended Markup Language (XML) format. As explainedabove, the criterion defining the access policy 500 can be provided tothe repository system by a user (e.g., an administrator). The accesspolicy 500 can be stored in the security store 160 and managed by therepository system 110. The access policy 500 is shown with entitlementinformation (e.g., the entitlement information 164) about an entitlementfor a role. The access policy 500 can include one or more entitlementscorresponding to one or more roles for accessing the repository system110. In certain embodiments, multiple access policies can be created,each for a different role, a different entitlement, another criterionfor an entitlement, or a combination thereof.

The access policy 500 can include information indicating an entitlementfor particular entity types that are governed by an asset. For example,the access policy 500 can identify an asset (e.g., “Governance Asset”)510 that is stored in the repository store 170. The access policy 500can indicate an entitlement for the asset 510. Actions 520 in theentitlement are those which are permitted for the asset 510. For examplethe action 520 can include a create action and a delete action. Theaccess policy 500 can indicate one or more roles 530, such as anarchitect role, each of which can be entitled to perform the actions520.

In some embodiments, the access policy 500 can include one or moreobligations, such as an obligation 540 and an obligation 550. Anobligation can indicate one or more entities that have a constraint fortheir access besides the access implied by the asset. An obligation caninclude a criterion indicating a restriction for accessing a particularentity in the asset corresponding to the entitlement. In FIG. 5, theobligation 540 specifically indicates that an asset, e.g., a compositeapplication “SOA Suite #1,” is permitted for the actions entitled to thearchitect role. Similarly, the obligation 550 specifically indicatesthat an asset, e.g., a composite application “SOA Suite #2,” ispermitted for the actions entitled to the architect role. Thus, anentitlement can provide a criterion to control access with respect toentities in an entitlement. As explained above, the security manager 140of FIG. 1 can provide these obligations to the repository manager 130 toenable the repository manager 130 to further determine whether an actionrequested by a user is permitted for an entity.

FIG. 6 shows a flowchart a process 600 for a process for managing accessto an entity implied by access to an asset associated with the entityaccording to an embodiment of the present invention. The process 600enables a repository system to determine whether a user is permitted toperform an action on an entity in a repository system based on a roleassociated with the user. Specifically, the process 600 enables arepository system to determine whether an entitlement for a role toaccess one or more assets implies a right to a user in the role toperform an action on an entity associated with one of the assets.

The process 600 can begin at block 605 by receiving a request by a userto perform an action on an entity of a plurality of entities in arepository system. The user can be associated with a role when accessingthe repository system. For example, a user with a role of an architectcan make a request to perform an update on a composite application, suchas an SOA Suite Application, for which an entity is stored in therepository system. Each entity in the repository system can beassociated with at least one asset in the repository system. An entitycan include information about an object stored in the repository system.

At block 610, the process 600 can determine one or more assetsaccessible by a role of a user associated with the user request. Forexample, the access policy 500 of FIG. 5 can be used to determine accessto the repository system for one or more assets accessible to anarchitect role of the user. Using the access policy 500, the repositorysystem can identify assets, such as a governance asset (“Governance#1”),which are accessible by the architect role.

At block 615, the process 600 can identify each entity associated withan asset accessible to the role. For example, a security policy (e.g.,the access policy 500) can further identify each entity that can beaccessed for an asset, e.g., the governance asset, which is accessibleto the architect role of the user. In the previous example of the accesspolicy 500, the repository system can identify an entity correspondingto a first composite application (“soasuite#1:Composite”) and an entitycorresponding to a second composite application(“soasuite#2:Composite”), both of which are associated with thegovernance asset accessible to the architect role.

At block 620, the process 600 can determine, based on a role of the userassociated with the user request, whether the user has an entitlement toaccess an asset associated with the entity for the requested action.Upon determining that the user is does not have an entitlement to accessan asset associated with the entity, then process 600 can proceed toblock 630. Upon determining that the user has an entitlement to accessan asset associated with the entity for the requested action, theprocess 600 can proceed to block 625.

Continuing from the previous example, the repository system candetermine, based on the user having an architect role, that the user hasthe entitlement to access a governance asset. Based on the access policy500, the governance asset is associated with an entity corresponding toa SOA composite application, such as a first composite application(“soasuite#1 :Composite”) and a second composite application(“soasuite#2Composite”). In this example, the process 600 proceeds toblock 625 because the governance asset is associated with an SOAcomposite application for which the action is requested.

At block 625, the process 600 can identify one or more actions that arepermitted for the role based on the entitlement to access the asset. Therepository system can analyze a access policy to identify the actionsthat are permitted for the asset accessible to the user based on therole. For example, the access policy 500 can be used to identify acreate action and a delete action, both of which are permitted to beperformed by the architect role on the governance asset.

Now returning to block 620, upon determining that the user is does nothave an entitlement to access an asset associated with the entity forthe requested action, then process 600 can proceed to block 630. Atblock 630, the process 600 can prevent the requested action from beingperformed because the user does not have an entitlement to access anasset association with the entity for the requested action. For example,based on the access policy 500, the repository system can preventperforming actions, such as a read action or an update action, which arenot permitted by the architect role on entities having an associationwith the governance asset. In some embodiments, upon determining thatthe requested action is a read action, the process 600 can prevent theentity for the requested action from being accessed and retrieved. Theuser is prevented from viewing information associated with the requestedentity because the requested entity cannot be accessed by the architectrole. In some embodiments, upon determining that the requested action isan update action, the process 600 can prevent an update from beingperformed on the entity for the requested action. Similarly, in certainembodiments, the process 600 can prevent other unpermitted actions, suchas create and delete, from being performed when any or all of theseactions are not permitted based on the role of the user. The process 600can proceed to end at block 645.

After completion of block 625, at block 635, the process 600 candetermine whether the one or more permitted actions includes therequested action. The requested action to be performed on the entity canbe permitted upon determining that the requested action is a permittedaction for the role. Upon determining that the requested action is notone of the permitted actions, the process 600 proceeds to block 630 toprevent the requested action from being performed and then can proceedto block 645 where the process 600 ends. Upon determining that the oneor more permitted actions includes the requested action, the process 600proceeds to block 640 to perform the requested action.

At block 640, the process 600 can perform the requested action upondetermining that the requested action is a permitted action. The process600 can proceed to end at block 645.

In certain embodiments, the process 600 can be implemented by certainembodiments of the repository system 110 of FIG. 1. The repositorysystem 110 can receive the request 108, from the client system 102, toperform an action on entity (e.g., the entity information) stored by therepository system 110. Using one or more access policies 162, therepository system 110 can determine one or more assets in the assetinformation 172 that are accessible by a role of a user that made therequest 108. The repository system 110 can identify each entityassociated with the assets accessible to the role of the user. Upondetermining that the entity indicated in the request 108 is included inone of the assets accessible to the role of the user, then therepository system 110 can determine, based on the entitlementinformation 164 in an access policy applicable to the role, the actionspermitted for one or more assets that include the entity. If one of theactions is an action indicated in the request 108, then the repositorysystem 108 can perform the action. Otherwise, the repository system willprevent the action for the request 108 from being performed.

Process 600 can be performed in an iterative manner for each actionrequested to be performed on one or more entities in a repository system(e.g., the repository system 110). Alternatively or additionally, blocks620-640 can be performed for each action requested to be perform for anentity. In certain embodiments, the action performed on an entity atblock 640 can vary based on the assets that include the entity and theactions the user is permitted to perform with respect to each assetassociated with the entity. While one action may not be permitted for anasset associated with the entity, the action may be permitted for adifferent asset associated with the entity.

It will be appreciated that process 600 is illustrative and thatvariations and modifications are possible. Action or operationsdescribed for process 600 as sequential may be executed in paralleland/or order of operations may be varied, and operations may bemodified, combined, added or omitted.

FIG. 7 depicts a simplified diagram of a distributed system 700 forimplementing one of the embodiments. The distributed system 700 canimplement the computing environment 100 of FIG. 1, the repository system110, and/or the client system 102. The distributed system 700 canimplement the process 600 of FIG. 6. In the illustrated embodiment,distributed system 700 includes one or more client computing devices702, 704, 706, and 708, which are configured to execute and operate aclient application such as a web browser, proprietary client (e.g.,Oracle Forms), or the like over one or more network(s) 710. In certainembodiments, the one or more client computing devices 702-708 caninclude the client system 102 of FIG. 1. Server 712 may becommunicatively coupled with remote client computing devices 702, 704,706, and 708 via network 710. The server 712 can include the repositorysystem 110 of FIG. 1.

In various embodiments, server 712 may be adapted to run one or moreservices or software applications provided by one or more of thecomponents of the system. The services or software applications caninclude nonvirtual and virtual environments. Virtual environments caninclude those used for virtual events, tradeshows, simulators,classrooms, shopping exchanges, and enterprises, whether two- orthree-dimensional (3D) representations, page-based logical environments,or otherwise. In some embodiments, these services may be offered asweb-based or cloud services or under a Software as a Service (SaaS)model to the users of client computing devices 702, 704, 706, and/or708. Users operating client computing devices 702, 704, 706, and/or 708may in turn utilize one or more client applications to interact withserver 712 to utilize the services provided by these components.

In the configuration depicted in the figure, the software components718, 720 and 722 of system 700 are shown as being implemented on server712. In other embodiments, one or more of the components of system 700and/or the services provided by these components may also be implementedby one or more of the client computing devices 702, 704, 706, and/or708. Users operating the client computing devices may then utilize oneor more client applications to use the services provided by thesecomponents. These components may be implemented in hardware, firmware,software, or combinations thereof. It should be appreciated that variousdifferent system configurations are possible, which may be differentfrom distributed system 700. The embodiment shown in the figure is thusone example of a distributed system for implementing an embodimentsystem and is not intended to be limiting.

Client computing devices 702, 704, 706, and/or 708 may be portablehandheld devices (e.g., an iPhone®, cellular telephone, an iPad®,computing tablet, a personal digital assistant (PDA)) or wearabledevices (e.g., a Google Glass® head mounted display), running softwaresuch as Microsoft Windows Mobile®, and/or a variety of mobile operatingsystems such as iOS, Windows Phone, Android, BlackBerry 10, Palm OS, andthe like, and being Internet, e-mail, short message service (SMS),Blackberry®, or other communication protocol enabled. The clientcomputing devices can be general purpose personal computers including,by way of example, personal computers and/or laptop computers runningvarious versions of Microsoft Windows®, Apple Macintosh®, and/or Linuxoperating systems. The client computing devices can be workstationcomputers running any of a variety of commercially-available UNIX® orUNIX-like operating systems, including without limitation the variety ofGNU/Linux operating systems, such as for example, Google Chrome OS.Alternatively, or in addition, client computing devices 702, 704, 706,and 708 may be any other electronic device, such as a thin-clientcomputer, an Internet-enabled gaming system (e.g., a Microsoft Xboxgaming console with or without a Kinect® gesture input device), and/or apersonal messaging device, capable of communicating over network(s) 710.

Although exemplary distributed system 700 is shown with four clientcomputing devices, any number of client computing devices may besupported. Other devices, such as devices with sensors, etc., mayinteract with server 712.

Network(s) 710 in distributed system 700 may be any type of networkfamiliar to those skilled in the art that can support datacommunications using any of a variety of commercially-availableprotocols, including without limitation TCP/IP (transmission controlprotocol/Internet protocol), SNA (systems network architecture), IPX(Internet packet exchange), AppleTalk, and the like. Merely by way ofexample, network(s) 710 can be a local area network (LAN), such as onebased on Ethernet, Token-Ring and/or the like. Network(s) 710 can be awide-area network and the Internet. It can include a virtual network,including without limitation a virtual private network (VPN), anintranet, an extranet, a public switched telephone network (PSTN), aninfra-red network, a wireless network (e.g., a network operating underany of the Institute of Electrical and Electronics (IEEE) 802.11 suiteof protocols, Bluetooth®, and/or any other wireless protocol); and/orany combination of these and/or other networks.

Server 712 may be composed of one or more general purpose computers,specialized server computers (including, by way of example, PC (personalcomputer) servers, UNIX® servers, mid-range servers, mainframecomputers, rack-mounted servers, etc.), server farms, server clusters,or any other appropriate arrangement and/or combination. Server 712 caninclude one or more virtual machines running virtual operating systems,or other computing architectures involving virtualization. One or moreflexible pools of logical storage devices can be virtualized to maintainvirtual storage devices for the server. Virtual networks can becontrolled by server 712 using software defined networking. In variousembodiments, server 712 may be adapted to run one or more services orsoftware applications described in the foregoing disclosure. Forexample, server 712 may correspond to a server for performing processingdescribed above according to an embodiment of the present disclosure.

Server 712 may run an operating system including any of those discussedabove, as well as any commercially available server operating system.Server 712 may also run any of a variety of additional serverapplications and/or mid-tier applications, including HTTP servers, FTPservers, CGI (common gateway interface) servers, JAVA® servers, databaseservers, and the like. Exemplary database servers include withoutlimitation those commercially available from Oracle, Microsoft, Sybase,IBM (International Business Machines), and the like.

In some implementations, server 712 may include one or more applicationsto analyze and consolidate data feeds and/or event updates received fromusers of client computing devices 702, 704, 706, and 708. As an example,data feeds and/or event updates may include, but are not limited to,Twitter® feeds, Facebook® updates or real-time updates received from oneor more third party information sources and continuous data streams,which may include real-time events related to sensor data applications,financial tickers, network performance measuring tools (e.g., networkmonitoring and traffic management applications), clickstream analysistools, automobile traffic monitoring, and the like. Server 712 may alsoinclude one or more applications to display the data feeds and/orreal-time events via one or more display devices of client computingdevices 702, 704, 706, and 708.

Distributed system 700 may also include one or more databases 714 and716. Databases 714 and 716 may reside in a variety of locations. By wayof example, one or more of databases 714 and 716 may reside on anon-transitory storage medium local to (and/or resident in) server 712.Alternatively, databases 714 and 716 may be remote from server 712 andin communication with server 712 via a network-based or dedicatedconnection. In one set of embodiments, databases 714 and 716 may residein a storage-area network (SAN). Similarly, any necessary files forperforming the functions attributed to server 712 may be stored locallyon server 712 and/or remotely, as appropriate. In one set ofembodiments, databases 714 and 716 may include relational databases,such as databases provided by Oracle, that are adapted to store, update,and retrieve data in response to SQL-formatted commands. The securitystore 160 of FIG. 1 and/or the repository store 170 of FIG. 1 can beincluded in the one or more databases 714 and 716.

FIG. 8 is a simplified block diagram of one or more components of asystem environment 800 by which services provided by one or morecomponents of an embodiment system may be offered as cloud services, inaccordance with an embodiment of the present disclosure. The systemenvironment 800 can include or implement the computing environment 100of FIG. 1, the repository system 110, and/or the client system 102. Thesystem environment 800 can implement the process 600 of FIG. 6. In theillustrated embodiment, system environment 800 includes one or moreclient computing devices 804, 806, and 808 that may be used by users tointeract with a cloud infrastructure system 802 that provides cloudservices. The client computing devices may be configured to operate aclient application such as a web browser, a proprietary clientapplication (e.g., Oracle Forms), or some other application, which maybe used by a user of the client computing device to interact with cloudinfrastructure system 802 to use services provided by cloudinfrastructure system 802.

It should be appreciated that cloud infrastructure system 802 depictedin the figure may have other components than those depicted. Further,the embodiment shown in the figure is only one example of a cloudinfrastructure system that may incorporate an embodiment of theinvention. For example, the cloud infrastructure system 802 can includeor implement the repository system 110 of FIGS. 1 and 2. In some otherembodiments, cloud infrastructure system 802 may have more or fewercomponents than shown in the figure, may combine two or more components,or may have a different configuration or arrangement of components.

Client computing devices 804, 806, and 808 may be devices similar tothose described above for 702, 704, 706, and 708.

Although exemplary system environment 800 is shown with three clientcomputing devices, any number of client computing devices may besupported. Other devices such as devices with sensors, etc. may interactwith cloud infrastructure system 802.

Network(s) 810 may facilitate communications and exchange of databetween clients 804, 806, and 808 and cloud infrastructure system 802.Each network may be any type of network familiar to those skilled in theart that can support data communications using any of a variety ofcommercially-available protocols, including those described above fornetwork(s) 710.

Cloud infrastructure system 802 may comprise one or more computersand/or servers that may include those described above for server 712.

In certain embodiments, services provided by the cloud infrastructuresystem may include a host of services that are made available to usersof the cloud infrastructure system on demand, such as online datastorage and backup solutions, Web-based e-mail services, hosted officesuites and document collaboration services, database processing, managedtechnical support services, and the like. Services provided by the cloudinfrastructure system can dynamically scale to meet the needs of itsusers. A specific instantiation of a service provided by cloudinfrastructure system is referred to herein as a “service instance.” Ingeneral, any service made available to a user via a communicationnetwork, such as the Internet, from a cloud service provider's system isreferred to as a “cloud service.” Typically, in a public cloudenvironment, servers and systems that make up the cloud serviceprovider's system are different from the customer's own on-premisesservers and systems. For example, a cloud service provider's system mayhost an application, and a user may, via a communication network such asthe Internet, on demand, order and use the application.

In some examples, a service in a computer network cloud infrastructuremay include protected computer network access to storage, a hosteddatabase, a hosted web server, a software application, or other serviceprovided by a cloud vendor to a user, or as otherwise known in the art.For example, a service can include password-protected access to remotestorage on the cloud through the Internet. As another example, a servicecan include a web service-based hosted relational database and ascript-language middleware engine for private use by a networkeddeveloper. As another example, a service can include access to an emailsoftware application hosted on a cloud vendor's web site.

In certain embodiments, cloud infrastructure system 802 may include asuite of applications, middleware, and database service offerings thatare delivered to a customer in a self-service, subscription-based,elastically scalable, reliable, highly available, and secure manner. Anexample of such a cloud infrastructure system is the Oracle Public Cloudprovided by the present assignee.

Large volumes of data, sometimes referred to as big data, can be hostedand/or manipulated by the infrastructure system on many levels and atdifferent scales. Such data can include data sets that are so large andcomplex that it can be difficult to process using typical databasemanagement tools or traditional data processing applications. Forexample, terabytes of data may be difficult to store, retrieve, andprocess using personal computers or their rack-based counterparts. Suchsizes of data can be difficult to work with using most currentrelational database management systems and desktop statistics andvisualization packages. They can require massively parallel processingsoftware running thousands of server computers, beyond the structure ofcommonly used software tools, to capture, curate, manage, and processthe data within a tolerable elapsed time.

Extremely large data sets can be stored and manipulated by analysts andresearchers to visualize large amounts of data, detect trends, and/orotherwise interact with the data. Tens, hundreds, or thousands ofprocessors linked in parallel can act upon such data in order to presentit or simulate external forces on the data or what it represents. Thesedata sets can involve structured data, such as that organized in adatabase or otherwise according to a structured model, and/orunstructured data (e.g., emails, images, data blobs (binary largeobjects), web pages, complex event processing). By leveraging an abilityof an embodiment to relatively quickly focus more (or fewer) computingresources upon an objective, the cloud infrastructure system may bebetter available to carry out tasks on large data sets based on demandfrom a business, government agency, research organization, privateindividual, group of like-minded individuals or organizations, or otherentity.

In various embodiments, cloud infrastructure system 802 may be adaptedto automatically provision, manage and track a customer's subscriptionto services offered by cloud infrastructure system 802. Cloudinfrastructure system 802 may provide the cloud services via differentdeployment models. For example, services may be provided under a publiccloud model in which cloud infrastructure system 802 is owned by anorganization selling cloud services (e.g., owned by Oracle) and theservices are made available to the general public or different industryenterprises. As another example, services may be provided under aprivate cloud model in which cloud infrastructure system 802 is operatedsolely for a single organization and may provide services for one ormore entities within the organization. The cloud services may also beprovided under a community cloud model in which cloud infrastructuresystem 802 and the services provided by cloud infrastructure system 802are shared by several organizations in a related community. The cloudservices may also be provided under a hybrid cloud model, which is acombination of two or more different models.

In some embodiments, the services provided by cloud infrastructuresystem 802 may include one or more services provided under Software as aService (SaaS) category, Platform as a Service (PaaS) category,Infrastructure as a Service (IaaS) category, or other categories ofservices including hybrid services. A customer, via a subscriptionorder, may order one or more services provided by cloud infrastructuresystem 802. Cloud infrastructure system 802 then performs processing toprovide the services in the customer's subscription order.

In some embodiments, the services provided by cloud infrastructuresystem 802 may include, without limitation, application services,platform services and infrastructure services. In some examples,application services may be provided by the cloud infrastructure systemvia a SaaS platform. The SaaS platform may be configured to providecloud services that fall under the SaaS category. For example, the SaaSplatform may provide capabilities to build and deliver a suite ofon-demand applications on an integrated development and deploymentplatform. The SaaS platform may manage and control the underlyingsoftware and infrastructure for providing the SaaS services. Byutilizing the services provided by the SaaS platform, customers canutilize applications executing on the cloud infrastructure system.Customers can acquire the application services without the need forcustomers to purchase separate licenses and support. Various differentSaaS services may be provided. Examples include, without limitation,services that provide solutions for sales performance management,enterprise integration, and business flexibility for largeorganizations.

In some embodiments, platform services may be provided by the cloudinfrastructure system via a PaaS platform. The PaaS platform may beconfigured to provide cloud services that fall under the PaaS category.Examples of platform services may include without limitation servicesthat enable organizations (such as Oracle) to consolidate existingapplications on a shared, common architecture, as well as the ability tobuild new applications that leverage the shared services provided by theplatform. The PaaS platform may manage and control the underlyingsoftware and infrastructure for providing the PaaS services. Customerscan acquire the PaaS services provided by the cloud infrastructuresystem without the need for customers to purchase separate licenses andsupport. Examples of platform services include, without limitation,Oracle Java Cloud Service (JCS), Oracle Database Cloud Service (DBCS),and others.

By utilizing the services provided by the PaaS platform, customers canemploy programming languages and tools supported by the cloudinfrastructure system and also control the deployed services. In someembodiments, platform services provided by the cloud infrastructuresystem may include database cloud services, middleware cloud services(e.g., Oracle Fusion Middleware services), and Java cloud services. Inone embodiment, database cloud services may support shared servicedeployment models that enable organizations to pool database resourcesand offer customers a Database as a Service in the form of a databasecloud. Middleware cloud services may provide a platform for customers todevelop and deploy various business applications, and Java cloudservices may provide a platform for customers to deploy Javaapplications, in the cloud infrastructure system.

Various different infrastructure services may be provided by an IaaSplatform in the cloud infrastructure system. The infrastructure servicesfacilitate the management and control of the underlying computingresources, such as storage, networks, and other fundamental computingresources for customers utilizing services provided by the SaaS platformand the PaaS platform.

In certain embodiments, cloud infrastructure system 802 may also includeinfrastructure resources 830 for providing the resources used to providevarious services to customers of the cloud infrastructure system. In oneembodiment, infrastructure resources 830 may include pre-integrated andoptimized combinations of hardware, such as servers, storage, andnetworking resources to execute the services provided by the PaaSplatform and the SaaS platform.

In some embodiments, resources in cloud infrastructure system 802 may beshared by multiple users and dynamically re-allocated per demand.Additionally, resources may be allocated to users in different timezones. For example, cloud infrastructure system 830 may enable a firstset of users in a first time zone to utilize resources of the cloudinfrastructure system for a specified number of hours and then enablethe re-allocation of the same resources to another set of users locatedin a different time zone, thereby maximizing the utilization ofresources.

In certain embodiments, a number of internal shared services 832 may beprovided that are shared by different components or modules of cloudinfrastructure system 802 and by the services provided by cloudinfrastructure system 802. These internal shared services may include,without limitation, a security and identity service, an integrationservice, an enterprise repository service, an enterprise managerservice, a virus scanning and white list service, a high availability,backup and recovery service, service for enabling cloud support, anemail service, a notification service, a file transfer service, and thelike.

In certain embodiments, cloud infrastructure system 802 may providecomprehensive management of cloud services (e.g., SaaS, PaaS, and IaaSservices) in the cloud infrastructure system. In one embodiment, cloudmanagement functionality may include capabilities for provisioning,managing and tracking a customer's subscription received by cloudinfrastructure system 802, and the like.

In one embodiment, as depicted in the figure, cloud managementfunctionality may be provided by one or more modules, such as an ordermanagement module 820, an order orchestration module 822, an orderprovisioning module 824, an order management and monitoring module 826,and an identity management module 828. These modules may include or beprovided using one or more computers and/or servers, which may begeneral purpose computers, specialized server computers, server farms,server clusters, or any other appropriate arrangement and/orcombination.

In exemplary operation 834, a customer using a client device, such asclient device 804, 806 or 808, may interact with cloud infrastructuresystem 802 by requesting one or more services provided by cloudinfrastructure system 802 and placing an order for a subscription forone or more services offered by cloud infrastructure system 802. Incertain embodiments, the customer may access a cloud User Interface(UI), cloud UI 812, cloud UI 814 and/or cloud UI 816 and place asubscription order via these UIs. The order information received bycloud infrastructure system 802 in response to the customer placing anorder may include information identifying the customer and one or moreservices offered by the cloud infrastructure system 802 that thecustomer intends to subscribe to.

After an order has been placed by the customer, the order information isreceived via the cloud UIs, 812, 814 and/or 816.

At operation 836, the order is stored in order database 818. Orderdatabase 818 can be one of several databases operated by cloudinfrastructure system 818 and operated in conjunction with other systemelements.

At operation 838, the order information is forwarded to an ordermanagement module 820. In some instances, order management module 820may be configured to perform billing and accounting functions related tothe order, such as verifying the order, and upon verification, bookingthe order.

At operation 840, information regarding the order is communicated to anorder orchestration module 822. Order orchestration module 822 mayutilize the order information to orchestrate the provisioning ofservices and resources for the order placed by the customer. In someinstances, order orchestration module 822 may orchestrate theprovisioning of resources to support the subscribed services using theservices of order provisioning module 824.

In certain embodiments, order orchestration module 822 enables themanagement of business processes associated with each order and appliesbusiness logic to determine whether an order should proceed toprovisioning. At operation 842, upon receiving an order for a newsubscription, order orchestration module 822 sends a request to orderprovisioning module 824 to allocate resources and configure thoseresources needed to fulfill the subscription order. Order provisioningmodule 824 enables the allocation of resources for the services orderedby the customer. Order provisioning module 824 provides a level ofabstraction between the cloud services provided by cloud infrastructuresystem 800 and the physical implementation layer that is used toprovision the resources for providing the requested services. Orderorchestration module 822 may thus be isolated from implementationdetails, such as whether or not services and resources are actuallyprovisioned on the fly or pre-provisioned and only allocated/assignedupon request.

At operation 844, once the services and resources are provisioned, anotification of the provided service may be sent to customers on clientdevices 804, 806 and/or 808 by order provisioning module 824 of cloudinfrastructure system 802.

At operation 846, the customer's subscription order may be managed andtracked by an order management and monitoring module 826. In someinstances, order management and monitoring module 826 may be configuredto collect usage statistics for the services in the subscription order,such as the amount of storage used, the amount data transferred, thenumber of users, and the amount of system up time and system down time.

In certain embodiments, cloud infrastructure system 800 may include anidentity management module 828. Identity management module 828 may beconfigured to provide identity services, such as access management andauthorization services in cloud infrastructure system 800. In someembodiments, identity management module 828 may control informationabout customers who wish to utilize the services provided by cloudinfrastructure system 802. Such information can include information thatauthenticates the identities of such customers and information thatdescribes which actions those customers are authorized to performrelative to various system resources (e.g., files, directories,applications, communication ports, memory segments, etc.) Identitymanagement module 828 may also include the management of descriptiveinformation about each customer and about how and by whom thatdescriptive information can be accessed and modified.

FIG. 9 illustrates an exemplary computer system 900, in which variousembodiments of the present invention may be implemented. The system 900may be used to implement any of the computer systems described above.For example, all or some of the elements of the computing environment100 of FIG. 1, the repository system 110, and/or the client system 102can be included or implemented in the system 900. The system 900 canimplement the process 600 of FIG. 6. As shown in the figure, computersystem 900 includes a processing unit 904 that communicates with anumber of peripheral subsystems via a bus subsystem 902. Theseperipheral subsystems may include a processing acceleration unit 906, anI/O subsystem 908, a storage subsystem 918 and a communicationssubsystem 924. Storage subsystem 918 includes tangible computer-readablestorage media 922 and a system memory 910.

Bus subsystem 902 provides a mechanism for letting the variouscomponents and subsystems of computer system 900 communicate with eachother as intended. Although bus subsystem 902 is shown schematically asa single bus, alternative embodiments of the bus subsystem may utilizemultiple buses. Bus subsystem 902 may be any of several types of busstructures including a memory bus or memory controller, a peripheralbus, and a local bus using any of a variety of bus architectures. Forexample, such architectures may include an Industry StandardArchitecture (ISA) bus, Micro Channel Architecture (MCA) bus, EnhancedISA (EISA) bus, Video Electronics Standards Association (VESA) localbus, and Peripheral Component Interconnect (PCI) bus, which can beimplemented as a Mezzanine bus manufactured to the IEEE P1386.1standard.

Processing unit 904, which can be implemented as one or more integratedcircuits (e.g., a conventional microprocessor or microcontroller),controls the operation of computer system 900. One or more processorsmay be included in processing unit 904. These processors may includesingle core or multicore processors. In certain embodiments, processingunit 904 may be implemented as one or more independent processing units932 and/or 934 with single or multicore processors included in eachprocessing unit. In other embodiments, processing unit 904 may also beimplemented as a quad-core processing unit formed by integrating twodual-core processors into a single chip.

In various embodiments, processing unit 904 can execute a variety ofprograms in response to program code and can maintain multipleconcurrently executing programs or processes. At any given time, some orall of the program code to be executed can be resident in processor(s)904 and/or in storage subsystem 918. Through suitable programming,processor(s) 904 can provide various functionalities described above.Computer system 900 may additionally include a processing accelerationunit 906, which can include a digital signal processor (DSP), aspecial-purpose processor, and/or the like.

I/O subsystem 908 may include user interface input devices and userinterface output devices. User interface input devices may include akeyboard, pointing devices such as a mouse or trackball, a touchpad ortouch screen incorporated into a display, a scroll wheel, a click wheel,a dial, a button, a switch, a keypad, audio input devices with voicecommand recognition systems, microphones, and other types of inputdevices. User interface input devices may include, for example, motionsensing and/or gesture recognition devices such as the Microsoft Kinect®motion sensor that enables users to control and interact with an inputdevice, such as the Microsoft Xbox® 360 game controller, through anatural user interface using gestures and spoken commands. Userinterface input devices may also include eye gesture recognition devicessuch as the Google Glass® blink detector that detects eye activity(e.g., ‘blinking’ while taking pictures and/or making a menu selection)from users and transforms the eye gestures as input into an input device(e.g., Google Glass®). Additionally, user interface input devices mayinclude voice recognition sensing devices that enable users to interactwith voice recognition systems (e.g., Siri® navigator), through voicecommands.

User interface input devices may also include, without limitation, threedimensional (3D) mice, joysticks or pointing sticks, gamepads andgraphic tablets, and audio/visual devices such as speakers, digitalcameras, digital camcorders, portable media players, webcams, imagescanners, fingerprint scanners, barcode reader 3D scanners, 3D printers,laser rangefinders, and eye gaze tracking devices. Additionally, userinterface input devices may include, for example, medical imaging inputdevices such as computed tomography, magnetic resonance imaging,position emission tomography, medical ultrasonography devices. Userinterface input devices may also include, for example, audio inputdevices such as MIDI keyboards, digital musical instruments and thelike.

User interface output devices may include a display subsystem, indicatorlights, or non-visual displays such as audio output devices, etc. Thedisplay subsystem may be a cathode ray tube (CRT), a flat-panel device,such as that using a liquid crystal display (LCD) or plasma display, aprojection device, a touch screen, and the like. In general, use of theterm “output device” is intended to include all possible types ofdevices and mechanisms for outputting information from computer system900 to a user or other computer. For example, user interface outputdevices may include, without limitation, a variety of display devicesthat visually convey text, graphics and audio/video information such asmonitors, printers, speakers, headphones, automotive navigation systems,plotters, voice output devices, and modems.

Computer system 900 may comprise a storage subsystem 918 that comprisessoftware elements, shown as being currently located within a systemmemory 910. System memory 910 may store program instructions that areloadable and executable on processing unit 904, as well as datagenerated during the execution of these programs.

Depending on the configuration and type of computer system 900, systemmemory 910 may be volatile (such as random access memory (RAM)) and/ornon-volatile (such as read-only memory (ROM), flash memory, etc.) TheRAM typically contains data and/or program modules that are immediatelyaccessible to and/or presently being operated and executed by processingunit 904. In some implementations, system memory 910 may includemultiple different types of memory, such as static random access memory(SRAM) or dynamic random access memory (DRAM). In some implementations,a basic input/output system (BIOS), containing the basic routines thathelp to transfer information between elements within computer system900, such as during start-up, may typically be stored in the ROM. By wayof example, and not limitation, system memory 910 also illustratesapplication programs 912, which may include client applications, Webbrowsers, mid-tier applications, relational database management systems(RDBMS), etc., program data 914, and an operating system 916. By way ofexample, operating system 916 may include various versions of MicrosoftWindows®, Apple Macintosh®, and/or Linux operating systems, a variety ofcommercially-available UNIX® or UNIX-like operating systems (includingwithout limitation the variety of GNU/Linux operating systems, theGoogle Chrome® OS, and the like) and/or mobile operating systems such asiOS, Windows® Phone, Android® OS, BlackBerry® 10 OS, and Palm® OSoperating systems.

Storage subsystem 918 may also provide a tangible computer-readablestorage medium for storing the basic programming and data constructsthat provide the functionality of some embodiments. Software (programs,code modules, instructions) that when executed by a processor providethe functionality described above may be stored in storage subsystem918. These software modules or instructions may be executed byprocessing unit 904. Storage subsystem 918 may also provide a repositoryfor storing data used in accordance with the present invention.

Storage subsystem 900 may also include a computer-readable storage mediareader 920 that can further be connected to computer-readable storagemedia 922. Together and, optionally, in combination with system memory910, computer-readable storage media 922 may comprehensively representremote, local, fixed, and/or removable storage devices plus storagemedia for temporarily and/or more permanently containing, storing,transmitting, and retrieving computer-readable information.

Computer-readable storage media 922 containing code, or portions ofcode, can also include any appropriate media known or used in the art,including storage media and communication media, such as but not limitedto, volatile and non-volatile, removable and non-removable mediaimplemented in any method or technology for storage and/or transmissionof information. This can include tangible, non-transitorycomputer-readable storage media such as RAM, ROM, electronicallyerasable programmable ROM (EEPROM), flash memory or other memorytechnology, CD-ROM, digital versatile disk (DVD), or other opticalstorage, magnetic cassettes, magnetic tape, magnetic disk storage orother magnetic storage devices, or other tangible computer readablemedia. When specified, this can also include nontangible, transitorycomputer-readable media, such as data signals, data transmissions, orany other medium which can be used to transmit the desired informationand which can be accessed by computing system 900.

By way of example, computer-readable storage media 922 may include ahard disk drive that reads from or writes to non-removable, nonvolatilemagnetic media, a magnetic disk drive that reads from or writes to aremovable, nonvolatile magnetic disk, and an optical disk drive thatreads from or writes to a removable, nonvolatile optical disk such as aCD ROM, DVD, and Blu-Ray® disk, or other optical media.Computer-readable storage media 922 may include, but is not limited to,Zip® drives, flash memory cards, universal serial bus (USB) flashdrives, secure digital (SD) cards, DVD disks, digital video tape, andthe like. Computer-readable storage media 922 may also include,solid-state drives (SSD) based on non-volatile memory such asflash-memory based SSDs, enterprise flash drives, solid state ROM, andthe like, SSDs based on volatile memory such as solid state RAM, dynamicRAM, static RAM, DRAM-based SSDs, magnetoresistive RAM (MRAM) SSDs, andhybrid SSDs that use a combination of DRAM and flash memory based SSDs.The disk drives and their associated computer-readable media may providenon-volatile storage of computer-readable instructions, data structures,program modules, and other data for computer system 900.

Communications subsystem 924 provides an interface to other computersystems and networks. Communications subsystem 924 serves as aninterface for receiving data from and transmitting data to other systemsfrom computer system 900. For example, communications subsystem 924 mayenable computer system 900 to connect to one or more devices via theInternet. In some embodiments communications subsystem 924 can includeradio frequency (RF) transceiver components for accessing wireless voiceand/or data networks (e.g., using cellular telephone technology,advanced data network technology, such as 3G, 4G or EDGE (enhanced datarates for global evolution), WiFi (IEEE 802.11 family standards, orother mobile communication technologies, or any combination thereof),global positioning system (GPS) receiver components, and/or othercomponents. In some embodiments communications subsystem 924 can providewired network connectivity (e.g., Ethernet) in addition to or instead ofa wireless interface.

In some embodiments, communications subsystem 924 may also receive inputcommunication in the form of structured and/or unstructured data feeds926, event streams 928, event updates 930, and the like on behalf of oneor more users who may use computer system 900.

By way of example, communications subsystem 924 may be configured toreceive data feeds 926 in real-time from users of social media networksand/or other communication services such as Twitter® feeds, Facebook®updates, web feeds such as Rich Site Summary (RSS) feeds, and/orreal-time updates from one or more third party information sources.

Additionally, communications subsystem 924 may also be configured toreceive data in the form of continuous data streams, which may includeevent streams 928 of real-time events and/or event updates 930, that maybe continuous or unbounded in nature with no explicit end. Examples ofapplications that generate continuous data may include, for example,sensor data applications, financial tickers, network performancemeasuring tools (e.g. network monitoring and traffic managementapplications), clickstream analysis tools, automobile trafficmonitoring, and the like.

Communications subsystem 924 may also be configured to output thestructured and/or unstructured data feeds 926, event streams 928, eventupdates 930, and the like to one or more databases that may be incommunication with one or more streaming data source computers coupledto computer system 900.

Computer system 900 can be one of various types, including a handheldportable device (e.g., an iPhone® cellular phone, an iPad® computingtablet, a PDA), a wearable device (e.g., a Google Glass® head mounteddisplay), a PC, a workstation, a mainframe, a kiosk, a server rack, orany other data processing system.

Due to the ever-changing nature of computers and networks, thedescription of computer system 900 depicted in the figure is intendedonly as a specific example. Many other configurations having more orfewer components than the system depicted in the figure are possible.For example, customized hardware might also be used and/or particularelements might be implemented in hardware, firmware, software (includingapplets), or a combination. Further, connection to other computingdevices, such as network input/output devices, may be employed. Based onthe disclosure and teachings provided herein, a person of ordinary skillin the art will appreciate other ways and/or methods to implement thevarious embodiments.

In the foregoing specification, aspects of the invention are describedwith reference to specific embodiments thereof, but those skilled in theart will recognize that the invention is not limited thereto. Variousfeatures and aspects of the above-described invention may be usedindividually or jointly. Further, embodiments can be utilized in anynumber of environments and applications beyond those described hereinwithout departing from the broader spirit and scope of thespecification. The specification and drawings are, accordingly, to beregarded as illustrative rather than restrictive.

What is claimed is:
 1. A method comprising: receiving, by a computingsystem, a user request including a query specifying one or more criteriaindicating a plurality of entities to which to perform an action,wherein the plurality of entities are included in a repository system,each entity in the plurality of entities having an association with atleast one asset in the repository system, wherein each entity in theplurality of entities includes information defining a differentcomputing object of a plurality of computing objects in a computingenvironment of an enterprise, wherein the plurality of computing objectsincludes at least one of a computing device or an application, andwherein each of the at least one asset corresponds to a respectivecollection of entities in the plurality of entities; determining, by thecomputing system, based on a role of a user associated with the userrequest, one or more assets the user is entitled to access, wherein theone or more assets are associated with one entity in the plurality ofentities; modifying the one or more criteria of the query to include atleast one additional criteria, wherein the at least one additionalcriteria indicates one or more entities to which the action is not to beperformed, the one or more entities being included in the plurality ofentities, wherein the one or more entities are not associated with theone or more assets the user is entitled to access; upon determining thatthe user is entitled to access the one or more assets associated withthe one entity in the plurality of entities, identifying, by thecomputing system, one or more actions that are permitted for the one ormore assets by the role based on having an entitlement to access the oneor more assets, wherein the one or more actions that are permitted forthe one or more assets are permitted to be performed on each entity ofthe plurality of entities associated with the one or more assets;determining, by the computing system, whether the action is a permittedaction being included in the one or more actions permitted to beperformed on each entity of the plurality of entities associated withthe one or more assets; and upon determining that the action is apermitted action, performing, by the computing system, based on themodified one or more criteria, the action on the plurality of entitiesexcluding the one or more entities.
 2. The method of claim 1, furthercomprising: upon determining that the action is not a permitted action,preventing the action from being performed on the plurality of entities.3. The method of claim 2, wherein the action is to retrieve informationassociated with the plurality of entities excluding the one or moreentities, and wherein preventing the action from being performed on theplurality of entities includes preventing information associated withthe plurality of entities from being provided to the user.
 4. The methodof claim 1, wherein the action is to modify information associated withthe plurality of entities excluding the one or more entities, andwherein preventing the action from being performed includes preventingthe information associated with the plurality of entities from beingmodified according to the user request.
 5. The method of claim 1,wherein the action is to remove information associated with theplurality of entities excluding the one or more entities, and whereinpreventing the action from being performed includes preventing theinformation associated with the plurality of entities from beingremoved.
 6. The method of claim 1, wherein the action is to create theplurality of entities excluding the one or more entities, and whereinpreventing the action from being performed includes preventing theplurality of entities from being created.
 7. The method of claim 1,wherein the plurality of entities in the repository system includes anapplication, a process, a service, a method, or a combination thereof.8. A system comprising: one or more processors; and one or more memorydevices coupled to the one or more processors, the one or more memorydevices including instructions that, when executed on the one or moreprocessors, cause the one or more processors to: receive a user requestincluding a query specifying one or more criteria indicating a pluralityof entities to which to perform an action, wherein the plurality ofentities are included in a repository system, each entity in theplurality of entities having an association with at least one asset inthe repository system, wherein each entity in the plurality of entitiesincludes information defining a different computing object of aplurality of computing objects in a computing environment of anenterprise, wherein the plurality of computing objects includes at leastone of a computing device or an application, and wherein each of the atleast one asset corresponds to a respective collection of entities inthe plurality of entities; determine, based on a role of a userassociated with the user request, one or more assets the user isentitled to access, wherein the one or more assets are associated withone entity in the plurality of entities; modifying the one or morecriteria of the query to include at least one additional criteria,wherein the at least one additional criteria indicates one or moreentities to which the action is not to be performed, the one or moreentities being included in the plurality of entities, wherein the one ormore entities are not associated with the one or more assets the user isentitled to access; upon determining that the user is entitled to accessthe one or more assets associated with the one entity in the pluralityof entities, identify one or more actions that are permitted for the oneor more assets by the role based on having an entitlement to access theone or more assets, wherein the one or more actions that are permittedfor the one or more assets are permitted to be performed on each entityof the plurality of entities associated with the one or more assets;determine whether the action is a permitted action being included in theone or more actions permitted to be performed on each entity of theplurality of entities associated with the one or more assets; and upondetermining that the action is a permitted action, perform, based on themodified one or more criteria, the action on the plurality of entitiesexcluding the one or more entities.
 9. The system of claim 8, whereinthe action is to modify information associated with the plurality ofentities excluding the one or more entities, and wherein preventing theaction from being performed includes preventing the informationassociated with the plurality of entities from being modified accordingto the user request.
 10. The system of claim 8, wherein the action is toremove information associated with the plurality of entities excludingthe one or more entities, and wherein preventing the action from beingperformed includes preventing the information associated with theplurality of entities from being removed.
 11. The system of claim 8,wherein the action is to create the plurality of entities excluding theone or more entities, and wherein preventing the action from beingperformed includes preventing the plurality of entities from beingcreated.
 12. A computer-readable memory storing a set of instructionsthat, when executed by one or more processors, causes the one or moreprocessors to: receive a user request including a query specifying oneor more criteria indicating a plurality of entities to which to performan action, wherein the plurality of entities are included in arepository system, each entity in the plurality of entities having anassociation with at least one asset in the repository system, whereineach entity in the plurality of entities includes information defining adifferent computing object of a plurality of computing objects in acomputing environment of an enterprise, wherein the plurality ofcomputing objects includes at least one of a computing device or anapplication, and wherein each of the at least one asset corresponds to arespective collection of entities in the plurality of entities;determine, based on a role of a user associated with the user request,one or more assets the user is entitled to access, wherein the one ormore assets are associated with one entity in the plurality of entities;modifying the one or more criteria of the query to include at least oneadditional criteria, wherein the at least one additional criteriaindicates one or more entities to which the action is not to beperformed, the one or more entities being included in the plurality ofentities, wherein the one or more entities are not associated with theone or more assets the user is entitled to access; upon determining thatthe user is entitled to access the one or more assets associated withthe one entity in the plurality of entities, identify one or moreactions that are permitted for the one or more assets by the role basedon having an entitlement to access the one or more assets, wherein theone or more actions that are permitted for the one or more assets arepermitted to be performed on each entity of the plurality of entitiesassociated with the one or more assets; determine whether the action isa permitted action being included in the one or more actions permittedto be performed on each entity of the plurality of entities associatedwith the one or more assets; and upon determining that the action is apermitted action, perform, based on the modified one or more criteria,the action on the plurality of entities excluding the one or moreentities.
 13. The computer-readable memory of claim 12, wherein the setof instructions, when executed by one or more processors further, causesthe one or more processors to: upon determining that the action is not apermitted action, prevent the action from being performed on theplurality of entities.